Cheat Engine
The Official Site of Cheat Engine

tottiy
Newbie cheater
Reputation: 0

Joined: 29 Jul 2013
Posts: 14

Posted: Sun Dec 03, 2017 4:56 pm    Post subject: how do i find a value that is generated at random?

As the title says, I have a number that is randomly generated. My only way to find it is to add one to the value right after it is generated, so I can only find the value once, but it is not being used again, so I can't find what writes to it. I want to find a pointer to said value without using pointer scan. Pls help!

Game: Knights of Pen and Paper 2
Wanted Value: any/all dice roll values
Extra: Use items in game-room to add 1 to any roll
OldCheatEngineUser
Whateven rank
Reputation: 7

Joined: 01 Feb 2016
Posts: 762

Posted: Sun Dec 03, 2017 11:17 pm    Post subject:

Cheat Engine tutorial is your friend to practice on; there are many steps that generate a random number. Cheat Engine tutorial is a perfect example for many cheat types.

_________________
About Me; I Use CE Since Version 1.X, And Still Learning How To Use It Well!
patched cheat engine tutorials
tottiy
Newbie cheater
Reputation: 0

Joined: 29 Jul 2013
Posts: 14

Posted: Mon Dec 04, 2017 11:36 am    Post subject:

 OldCheatEngineUser wrote: cheat engine tutorial is your friend to practice on, there are many steps that generate a random number. cheat engine tutorial is a perfect example for many cheat types.

I completed the tutorial long ago. Perhaps you misunderstood: the value is random on the same address, so I will give an example.

Step A
First step: speedhack to slow game down so I can catch the value.
2nd: value is 12 > first scan 4byte = 12
3rd: after 0.25 second, value is 13 > next scan = 13 >Value found address = 18#####
4th: change value to 20 to get bonus. (Finding what writes to this value is useless because the writing is done and the code is abandoned after each roll)
5th: Find what writes this code
6th: Re-roll > no codes found

Step B
First step: speedhack to slow game down so I can catch the value.
2nd: value is 15 > first scan 4byte = 15
3rd: after 0.25 second, value is 16 > next scan = 16 >Value found address = 17A####
4th: change value to 20 to get bonus. (Finding what writes to this value is useless because the writing is done and the code is abandoned after each roll)
5th: Find what writes this code
6th: Re-roll > no codes found

So what I mean is that each re-roll is written to a different address, and those addresses are used only once each.
How do I get a pointer for the dice rolls?
OldCheatEngineUser
Whateven rank
Reputation: 7

Joined: 01 Feb 2016
Posts: 762

Posted: Mon Dec 04, 2017 11:48 pm    Post subject:

Yes, I misunderstood, but that's because you said random value. But now it's about addresses. Anyway, finding what writes to the address can't be useless as you are saying. For your info, addresses get changed but CODE does not get changed unless it is meant to be changed with a software update.

Try placing the debugger before changing the value to 20 to get the bonus; then you might be able to find what's writing to it. Or instead, the second you find the address, see what's accessing it and use that instruction as a pointer. Remember that you can pause the game while scanning, or you can also pause it from advanced options. This will give you more time to deal with this, as the game might be creating and destroying threads.
tottiy
Newbie cheater
Reputation: 0

Joined: 29 Jul 2013
Posts: 14

Posted: Tue Dec 05, 2017 5:19 pm    Post subject:

Thanks! I found a pointer that works (under some conditions...) and found a code.
Finally, I want to make it so that when I activate this script it always writes 20. Here is the code after the CE framework and code injection template.

Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
mov [edi+30],eax
mov eax,[00ABEDE0]

exit:
jmp returnhere

137223C4:
jmp newmem
nop
nop
nop
nop
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
137223C4:
mov [edi+30],eax
mov eax,[00ABEDE0]
//Alt: db 89 47 30 8B 05 E0 ED AB 00

How do I read this code, and how do I get the roll to always be 20?
OldCheatEngineUser
Whateven rank
Reputation: 7

Joined: 01 Feb 2016
Posts: 762

Posted: Tue Dec 05, 2017 10:01 pm    Post subject:

Code:
newmem:
  mov eax,14

You might need AOB injection, since code injection is going to be useless at this point, where no module addresses are used.
Your script might not activate the next time you reload the game.

tottiy
Newbie cheater
Reputation: 0

Joined: 29 Jul 2013
Posts: 14

Posted: Wed Dec 06, 2017 2:06 pm    Post subject:

I tried to use an AOB scan, found the unique AOB and added the mov eax,14 code under newmem. I did it all and my pointer value turns to 20... BUT! It wrecks both the codes, and the game does not complete the roll and crashes.

Here is the AOB Injection Code:
Code:
{ Game   : kopp2.exe
  Version:
  Date   : 2017-12-06
  Author : Hp7600

  This script does blah blah blah
}

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

aobscan(ROLL20,89 47 30 8B 05 ?? ?? ?? ?? 8B 40 28) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:
  mov eax,14

code:
  mov [edi+30],eax
  mov eax,[0063EDE0]
  jmp return

ROLL20:
  jmp newmem
  nop
  nop
  nop
  nop
return:
registersymbol(ROLL20)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat

ROLL20:
  db 89 47 30 8B 05 ?? ?? ?? ?? 8B 40 28

unregistersymbol(ROLL20)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 0EF79804

0EF797E8: 6A 00                 -  push 00
0EF797EA: 50                    -  push eax
0EF797EB: 39 00                 -  cmp [eax],eax
0EF797ED: E8 86 D5 74 F5        -  call 046C6D78
0EF797F2: 83 C4 10              -  add esp,10
0EF797F5: 83 EC 08              -  sub esp,08
0EF797F8: 6A 15                 -  push 15
0EF797FA: 6A 01                 -  push 01
0EF797FC: E8 87 B3 F5 FF        -  call 0EED4B88
0EF79801: 83 C4 10              -  add esp,10
// ---------- INJECTING HERE ----------
0EF79804: 89 47 30              -  mov [edi+30],eax
0EF79807: 8B 05 E0 ED 63 00     -  mov eax,[0063EDE0]
// ---------- DONE INJECTING  ----------
0EF7980D: 8B 40 28              -  mov eax,[eax+28]
0EF79810: 85 C0                 -  test eax,eax
0EF79812: 7E 0C                 -  jle 0EF79820
0EF79814: 8B 05 E0 ED 63 00     -  mov eax,[0063EDE0]
0EF7981A: 8B 40 28              -  mov eax,[eax+28]
0EF7981D: 89 47 30              -  mov [edi+30],eax
0EF79820: 8B 05 50 BF 46 11     -  mov eax,[1146BF50]
0EF79826: 83 EC 0C              -  sub esp,0C
0EF79829: 50                    -  push eax
0EF7982A: 39 00                 -  cmp [eax],eax
}

And here are my observations about the memory changes:

Code:
===A===Original
13604FD2 - 6A 01                 - push 01 { 1 }
13604FD4 - E8 775FF6FF           - call 1356AF50
13604FD9 - 83 C4 10              - add esp,10 { 16 }
=======================Inject Here===================================
13604FDC - 89 47 30              - mov [edi+30],eax
13604FDF - 8B 05 E0EDF903        - mov eax,[03F9EDE0] { [0FC87E10] }
=======================-----------===================================
13604FE5 - 8B 40 28              - mov eax,[eax+28]
13604FE8 - 85 C0                 - test eax,eax
13604FEA - 7E 0C                 - jle 13604FF8
=======
===B===Activated
13604FD2 - 6A 01                 - push 01 { 1 }
13604FD4 - E8 775FF6FF           - call 1356AF50
13604FD9 - 83 C4 10              - add esp,10 { 16 }
======================Injected Here==================================
ROLL20   - E9 1FB09FF3           - jmp 07000000
13604FE1 - 90                    - nop
13604FE2 - 90                    - nop
13604FE3 - 90                    - nop
13604FE4 - 90                    - nop
=======================-------------=================================
13604FE5 - 8B 40 28              - mov eax,[eax+28]
13604FE8 - 85 C0                 - test eax,eax
13604FEA - 7E 0C                 - jle 13604FF8
=======
===C===Deactivated
13604FD2 - 6A 01                 - push 01 { 1 }
13604FD4 - E8 775FF6FF           - call 1356AF50
13604FD9 - 83 C4 10              - add esp,10 { 16 }
=======================Injection Removed=============================
13604FDC - 89 47 30              - mov [edi+30],eax
13604FDF - 8B 05 90909090        - mov eax,[90909090] { -1869574000 }
=======================-----------------=============================
13604FE5 - 8B 40 28              - mov eax,[eax+28]
13604FE8 - 85 C0                 - test eax,eax
13604FEA - 7E 0C                 - jle 13604FF8
=======

So the code permanently changes the 2nd line from
Code:
13604FDF - 8B 05 E0EDF903        - mov eax,[03F9EDE0] { [0FC87E10] }

to

Code:
13604FDF - 8B 05 90909090        - mov eax,[90909090] { -1869574000 }

while the 1st line remains unchanged. How do I make it so the 2nd line returns to its original value as well? And why does the code prevent the roll from completing?
Betcha
Expert Cheater
Reputation: 4

Joined: 13 Aug 2015
Posts: 180
Location: Somewhere In Space

Posted: Wed Dec 06, 2017 4:15 pm    Post subject:

Do AOB injection one line up, so it doesn't mess with this:

code:
mov [edi+30],eax
mov eax,[0063EDE0] <----
jmp return

Or try this :

Code:
[ENABLE]
aobscan(ROLL20,89 47 30 8B 05 ?? ?? ?? ?? 8B 40 28)
alloc(newmem,$100)
label(SaveThis)
label(return)

newmem:
  mov eax,14
  mov [edi+30],eax
  jmp return

SaveThis:
  reassemble(ROLL20+3)
  jmp return

ROLL20:
  jmp newmem
  nop
  nop
  nop
  nop
return:
registersymbol(ROLL20)
registersymbol(SaveThis)

[DISABLE]
ROLL20:
  db 89 47 30
reassemble(SaveThis)
unregistersymbol(ROLL20)
unregistersymbol(SaveThis)
dealloc(newmem)
tottiy
Newbie cheater
Reputation: 0

Joined: 29 Jul 2013
Posts: 14

Posted: Wed Dec 06, 2017 6:53 pm    Post subject:

 Betcha wrote: Do AOB injection one line up

Code:
newmem:
  mov eax,14          <<
code:
  mov [edi+30],eax    <<

Now it works, thank you. But I still don't understand why using the code itself would break the next one apart?

This is the working code:
Code:
{ Game   : kopp2.exe
  Version:
  Date   : 2017-12-07
  Author : Hp7600

  This script makes Travel Roll always 20.
}

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

aobscan(ROLL20,83 C4 10 89 47 30 8B 05 ?? ?? ?? ?? 8B 40 28) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:
  mov eax,14

code:
  add esp,10
  mov [edi+30],eax
  jmp return

ROLL20:
  jmp newmem
  nop
return:
registersymbol(ROLL20)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat

ROLL20:
  db 83 C4 10 89 47 30

unregistersymbol(ROLL20)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 13CAAC61

13CAAC45: 83 EC 08              -  sub esp,08
13CAAC48: 6A 00                 -  push 00
13CAAC4A: 50                    -  push eax
13CAAC4B: 39 00                 -  cmp [eax],eax
13CAAC4D: E8 26 C1 91 F0        -  call 045C6D78
13CAAC52: 83 C4 10              -  add esp,10
13CAAC55: 83 EC 08              -  sub esp,08
13CAAC58: 6A 15                 -  push 15
13CAAC5A: 6A 01                 -  push 01
13CAAC5C: E8 7F 02 F8 FF        -  call 13C2AEE0
// ---------- INJECTING HERE ----------
13CAAC61: 83 C4 10              -  add esp,10
13CAAC64: 89 47 30              -  mov [edi+30],eax
// ---------- DONE INJECTING  ----------
13CAAC67: 8B 05 E0 ED E9 00     -  mov eax,[00E9EDE0]
13CAAC6D: 8B 40 28              -  mov eax,[eax+28]
13CAAC70: 85 C0                 -  test eax,eax
13CAAC72: 7E 0C                 -  jle 13CAAC80
13CAAC74: 8B 05 E0 ED E9 00     -  mov eax,[00E9EDE0]
13CAAC7A: 8B 40 28              -  mov eax,[eax+28]
13CAAC7D: 89 47 30              -  mov [edi+30],eax
13CAAC80: 8B 05 50 BF 57 11     -  mov eax,[1157BF50]
13CAAC86: 83 EC 0C              -  sub esp,0C
13CAAC89: 50                    -  push eax
}
Betcha
Expert Cheater
Reputation: 4

Joined: 13 Aug 2015
Posts: 180
Location: Somewhere In Space

Posted: Thu Dec 07, 2017 1:51 am    Post subject:

 tottiy wrote: I still don't understand why using the code itself would break the next one apart?

Instructions like this mov eax,[0063EDE0] love to change each time the game is restarted.
As you can see, you did the injection one line up and now the instruction is mov eax,[00E9EDE0].
It moves an address into eax, while that address holds some value that affects your dice rolls.
Once the script is active it doesn't do its function, or even worse, the address is replaced with a wrong one.
So, yeah, that's why the game can crash or bug the hell out when you do injections with instructions like this.

The script I posted is with reassemble, which skips / saves the marked array of bytes while the script is active.
So when the script is deactivated, everything goes back to its original look. Have you tried it?
tottiy
Newbie cheater
Reputation: 0

Joined: 29 Jul 2013
Posts: 14

Posted: Thu Dec 07, 2017 12:43 pm    Post subject:

Betcha wrote: The script I posted is with reassemble, which skips / saves the marked array of bytes while the script is active. So when the script is deactivated, everything goes back to its original look. Have you tried it?

I tried it, but it gave me an error when I tried to assign it to my list:
ERROR: Error in line 32 (reassemble(SaveThis)):SaveThis could not be found

reassemble? I've never seen this command before. What is it supposed to do?
Betcha
Expert Cheater
Reputation: 4

Joined: 13 Aug 2015
Posts: 180
Location: Somewhere In Space

Posted: Thu Dec 07, 2017 12:53 pm    Post subject:

Remove line 32 and, after Assign, add it back. Ignore the error when pressing OK, just click Yes. You can read my old post with a similar problem; you will see what reassemble is supposed to do. http://forum.cheatengine.org/viewtopic.php?p=5695436
tottiy
Newbie cheater
Reputation: 0

Joined: 29 Jul 2013
Posts: 14

Posted: Thu Dec 07, 2017 2:06 pm    Post subject:

 Betcha wrote: .....

It doesn't work; it changes the AOB right after the code to A1 E0 instead of 8B 05.
Betcha
Expert Cheater
Reputation: 4

Joined: 13 Aug 2015
Posts: 180
Location: Somewhere In Space

Posted: Thu Dec 07, 2017 2:16 pm    Post subject:

What happens in game, does the dice work or not? When you deactivate the script, does the game crash or is everything fine? After deactivation, does it restore the instruction below as it was?
tottiy
Newbie cheater
Reputation: 0

Joined: 29 Jul 2013
Posts: 14

Posted: Thu Dec 07, 2017 4:02 pm    Post subject:

Betcha wrote: What happens in game, does the dice work or not? When you deactivate the script, does the game crash or is everything fine? After deactivation, does it restore the instruction below as it was?

The roll doesn't complete, probably because the next code is lost.

Here is the code:

Code:
===A===Original
13D72A02 - 6A 01                 - push 01 { 1 }
13D72A04 - E8 B7A3F7FF           - call 13CECDC0
13D72A09 - 83 C4 10              - add esp,10 { 16 }
=======================Inject Here===================================
13D72A0C - 89 47 30              - mov [edi+30],eax
13D72A0F - 8B 05 E0ED1701        - mov eax,[0117EDE0] { [11647E10] }
=======================-----------===================================
13D72A15 - 8B 40 28              - mov eax,[eax+28]
13D72A18 - 85 C0                 - test eax,eax
13D72A1A - 7E 0C                 - jle 13D72A28
=======
===B===Activated
13D72A02 - 6A 01                 - push 01 { 1 }
13D72A04 - E8 B7A3F7FF           - call 13CECDC0
13D72A09 - 83 C4 10              - add esp,10 { 16 }
======================Injected Here==================================
ROLL20   - E9 EFD590F0           - jmp 04680000
13D72A11 - 90                    - nop
13D72A12 - 90                    - nop
13D72A13 - 90                    - nop
13D72A14 - 90                    - nop
=======================-------------=================================
13D72A15 - 8B 40 28              - mov eax,[eax+28]
13D72A18 - 85 C0                 - test eax,eax
13D72A1A - 7E 0C                 - jle 13D72A28
=======
===C===Deactivated
13D72A02 - 6A 01                 - push 01 { 1 }
13D72A04 - E8 B7A3F7FF           - call 13CECDC0
13D72A09 - 83 C4 10              - add esp,10 { 16 }
=======================Injection Removed=============================
13D72A0C - 89 47 30              - mov [edi+30],eax
13D72A0F - A1 E0ED1701           - mov eax,[0117EDE0] { [11647E10] }
13D72A14 - 90                    - nop
=======================-----------------=============================
13D72A15 - 8B 40 28              - mov eax,[eax+28]
13D72A18 - 85 C0                 - test eax,eax
13D72A1A - 7E 0C                 - jle 13D72A28
=======
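The two failure modes in this thread (the `90909090` left inside the address operand after the first script was disabled, and the `A1 E0` bytes plus a stray nop after the reassemble script was disabled) both come down to how many bytes the `jmp newmem` steals and which bytes the `[DISABLE]` section actually knows how to put back. The Python model below is an added example, not code from the thread or from Cheat Engine: it takes the 26 bytes and addresses from the `===A===Original` listing (base 13604FD2, cave at 07000000) and replays the three enable/disable variants on a byte array. The `jmp`/`db`/`aobscan` helpers are a constructed imitation of what the auto assembler does; `ABS_ADDR` is the operand of the `mov eax,[...]` from that listing.

```python
"""
Byte-level replay of the three patch/restore variants from the thread.
Added example; not code from the thread or from Cheat Engine itself.
"""

BASE = 0x13604FD2   # address of ORIGINAL[0], from the "===A===Original" listing
CAVE = 0x07000000   # where newmem was allocated in that listing (jmp 07000000)
ABS_ADDR = 0x03F9EDE0   # operand of mov eax,[...] at 13604FDF; changes per game session

# Bytes copied from the "===A===Original" listing (26 bytes, 8 instructions).
ORIGINAL = bytes.fromhex(
    "6A01"           # 13604FD2  push 01
    "E8775FF6FF"     # 13604FD4  call 1356AF50
    "83C410"         # 13604FD9  add esp,10
    "894730"         # 13604FDC  mov [edi+30],eax
    "8B05E0EDF903"   # 13604FDF  mov eax,[03F9EDE0]  <- absolute address operand
    "8B4028"         # 13604FE5  mov eax,[eax+28]
    "85C0"           # 13604FE8  test eax,eax
    "7E0C"           # 13604FEA  jle 13604FF8
)


def jmp_rel32(src: int, dst: int) -> bytes:
    """Encode `jmp dst` placed at src: E9 + rel32, relative to the end of the jmp."""
    rel = (dst - (src + 5)) & 0xFFFFFFFF
    return b"\xE9" + rel.to_bytes(4, "little")


def parse_aob(pattern: str) -> list:
    """'89 47 30 ?? 8B' -> [0x89, 0x47, 0x30, None, 0x8B]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def aob_find(mem: bytes, pattern: list) -> list:
    """Offsets where the wildcarded pattern matches (what aobscan does)."""
    return [i for i in range(len(mem) - len(pattern) + 1)
            if all(p is None or mem[i + j] == p for j, p in enumerate(pattern))]


def write_db(mem: bytearray, off: int, pattern: list) -> None:
    """`addr: db ...`: fixed bytes are written, ?? positions are left as they are."""
    for j, p in enumerate(pattern):
        if p is not None:
            mem[off + j] = p


def enable(mem: bytearray, off: int, stolen_len: int) -> None:
    """`ROLL20: jmp newmem` plus nops covering the rest of the stolen instructions."""
    mem[off:off + 5] = jmp_rel32(BASE + off, CAVE)
    mem[off + 5:off + stolen_len] = b"\x90" * (stolen_len - 5)


def mov_eax_abs(addr: int, short: bool) -> bytes:
    """x86 has two encodings of mov eax,[imm32]: A1 moffs32 (5 bytes) or 8B 05 disp32 (6)."""
    return (b"\xA1" if short else b"\x8B\x05") + addr.to_bytes(4, "little")


def wildcard_restore() -> bytes:
    """First script: 9-byte inject, [DISABLE] restores with `db 89 47 30 8B 05 ?? ?? ?? ?? ...`."""
    pat = parse_aob("89 47 30 8B 05 ?? ?? ?? ?? 8B 40 28")
    mem = bytearray(ORIGINAL)
    off = aob_find(mem, pat)[0]
    enable(mem, off, 9)
    write_db(mem, off, pat)          # the ?? positions keep the four nops from enable
    return bytes(mem[off:off + 9])   # 89 47 30 8B 05 90 90 90 90, as observed


def reassemble_restore() -> tuple:
    """Second script: [DISABLE] writes `db 89 47 30`, then re-assembles the saved mov."""
    pat = parse_aob("89 47 30 8B 05 ?? ?? ?? ?? 8B 40 28")
    mem = bytearray(ORIGINAL)
    off = aob_find(mem, pat)[0]
    enable(mem, off, 9)
    write_db(mem, off, parse_aob("89 47 30"))
    short = mov_eax_abs(ABS_ADDR, short=True)     # assembler picks the 5-byte A1 form
    mem[off + 3:off + 3 + len(short)] = short     # one nop from enable survives at off+8
    return bytes(mem[off:off + 9]), aob_find(bytes(mem), pat)   # pattern no longer matches


def one_up_exact_restore() -> bool:
    """Working script: inject over add esp,10 + mov [edi+30],eax (6 bytes, no absolute operand)."""
    pat = parse_aob("83 C4 10 89 47 30 8B 05 ?? ?? ?? ?? 8B 40 28")
    mem = bytearray(ORIGINAL)
    off = aob_find(mem, pat)[0]
    enable(mem, off, 6)                                   # jmp + 1 nop
    write_db(mem, off, parse_aob("83 C4 10 89 47 30"))   # every restored byte is known
    return bytes(mem) == ORIGINAL


if __name__ == "__main__":
    print("wildcard restore  :", wildcard_restore().hex(" "))
    region, hits = reassemble_restore()
    print("reassemble restore:", region.hex(" "), "| aobscan hits afterwards:", hits)
    print("one-up exact restore identical to original:", one_up_exact_restore())
```

The model reproduces the thread's observations: the wildcarded `db` leaves `8B 05 90 90 90 90`, and the re-assembled short form leaves `A1 E0 ED F9 03 90`, which still executes but no longer matches the `89 47 30 8B 05` pattern the next time the script is enabled. Moving the injection one instruction up steals six bytes that contain no session-dependent address, so the `[DISABLE]` section can restore them byte for byte and the `mov eax,[...]` operand is never touched.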